The Hitchhikers Guide to the SHA-3 Competition Orr Dunkelman - PowerPoint PPT Presentation

History First Second Third The Hitchhiker’s Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department University of Haifa 4 July, 2012 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 46

History First Second Third Outline 1 History of Hash Functions What is a Hash Function The MD/SHA Family of Hash Functions A(n Extremely) Short History of Hash Functions 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates Security of the SHA-3 Finalists The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 2/ 46

HF MD5/SHA1 History History First Second Third Outline 1 History of Hash Functions What is a Hash Function The MD/SHA Family of Hash Functions A(n Extremely) Short History of Hash Functions 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates Security of the SHA-3 Finalists The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 3/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? [DH76] There is, however, a modification which eliminates the expansion problem when N is roughly a megabit or more. Let g be a one-way mapping from binary N-space to binary n-space where n is approximately 50. Take the N bit message m and operate on it with g to obtain the n bit vector m ′ . Then use the previous scheme to send m ′ . . . Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 4/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? (cont.) ◮ (Cryptographic) Hash Functions are means to securely reduce a string m of arbitrarily length into a fixed-length digest. Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 5/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? (cont.) ◮ (Cryptographic) Hash Functions are means to securely reduce a string m of arbitrarily length into a fixed-length digest. 0x256C795AC8222D4F90EA836D69687B68 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 5/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? (cont.) ◮ (Cryptographic) Hash Functions are means to securely reduce a string m of arbitrarily length into a fixed-length digest. 0x6CA0B3C905C0DDABA60E08BFA9A9B8BD Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 5/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? (cont.) ◮ The main problem is the definition of securely. ◮ For signature schemes, two basic requirements exist: 1 Second preimage resistance: given x , it is hard to find x ′ s.t. h ( x ) = h ( x ′ ). 2 Collision resistance: it is hard to find x 1 , x 2 s.t. h ( x 1 ) = h ( x 2 ). Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 6/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? (cont.) ◮ The main problem is the definition of securely. ◮ For signature schemes, three basic requirements exist: 1 Preimage resistance: given y = h ( x ), it is hard to find x (or x ′ , s.t., h ( x ′ ) = y ). 2 Second preimage resistance: given x , it is hard to find x ′ s.t. h ( x ) = h ( x ′ ). 3 Collision resistance: it is hard to find x 1 , x 2 s.t. h ( x 1 ) = h ( x 2 ). Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 6/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? (cont.) ◮ Hash functions were quickly adopted in other places: ◮ Password files (storing h ( pwd , salt ) instead of pwd ). ◮ Bit commitments schemes (commit — h ( b , r ), reveal — b , r ). ◮ Key derivation functions (take k = h ( g xy mod p )). ◮ MACs (long story). ◮ Tags of files (to detect changes). ◮ Inside PRNGs. ◮ Inside protocols (used in many “imaginative” ways). ◮ . . . Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 7/ 46

HF MD5/SHA1 History History First Second Third What is a Hash Function? (cont.) The Hitch Hiker’s Guide to the Galaxy has a few things to say on the subject of hash functions. A hash function, it says, is about the most massively useful thing a cryptographer can have. Partly it has great practical value — you can use it to replace random oracles in real protocols when you need them; you can use them to make signatures faster; you can use it along with salts to have better password files; you can commit to bits using it; you can derive keys using it; produce pseudo random numbers using it; authenticate data with it, and of course, just hash the data when you need a digest. More importantly, a hash function has immense psychological value. For some reason, if a strag (strag: non-cryptographer) discovers that a cryptographer has his hash function with him, he will automatically assume that he is also in possession of a symmetric-key encryption, a public-key encryption, a voting protocol, a zero-knowledge protocol, etc. etc. Furthermore, the strag will then happily implement for the cryptographer any of these or a dozen other protocols that the cryptographer is too “busy” do himself. What the strag will think is that any cryptographer who can design protocols, follow bits, avoid differentials, and SAT solvers, and still knows where his hash function is is clearly a man to be reckoned with. Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 8/ 46

HF MD5/SHA1 History History First Second Third The MD/SHA Family ◮ Started with Rivest’s MD4. ◮ Following a few cryptanalytic attempts, was upgraded to MD5. ◮ MD5, also known to many as md5sum generate tags of 128 bits. ◮ Became very popular given its high speed, alleged security, and lack of true competition. . . ◮ Later, it was used as the basis for the SHA-0 and SHA-1 hash functions. Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 9/ 46

HF MD5/SHA1 History History First Second Third The MD5 Hash Function ◮ To hash a message M the following steps are performed: 1 M is padded with ‘1’ as many 0’s as needed (up to 512) and the original length of M encoded in 64 bits, such that the length of the padded message pad ( M ) is divisible by 512. 2 pad ( M ) is divided into ℓ blocks of 512 bits, i.e., pad ( M ) = m 1 , m 2 , . . . , m ℓ . 3 The 128-bit chaining value h 0 is initialized. 4 For i = 1 , 2 , . . . , ℓ , h i = H ( h i − 1 , m i ) (the compression function is applied). 5 The output is h ℓ m ℓ m m m m 1 2 3 i f f f f f f h ( M ) IV Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 10/ 46

HF MD5/SHA1 History History First Second Third The MD5 IV ◮ The internal state (chaining value) of MD5, is treated as four words of 32-bit each: A , B , C , D . ◮ The initial value h 0 is: A = 0x67452301 B = 0xEFCDAB89 C = 0x98BADCFE D = 0x10325476 (this initial value is given in a little-endian manner) Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 11/ 46

HF MD5/SHA1 History History First Second Third The MD5 Compression Function ◮ Let h i − 1 = ( A 0 , B 0 , C 0 , D 0 ). ◮ Let the message block be M i = ( W 0 , W 1 , . . . , W 15 ) ◮ For i = 0 , 1 , . . . , 63: 1 D i +1 ← C i 2 C i +1 ← B i 3 B i +1 ← B i + ( A i + F i ( B i , C i , D i ) + K i + W g ( i ) ) ≪ s i 4 A i +1 ← D i ◮ h i ← ( A 0 + A 64 , B 0 + B 64 , C 0 + C 64 , D 0 + D 64 ). All additions are modulo 2 32 , and ≪ stands for rotation to the left. Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 12/ 46

HF MD5/SHA1 History History First Second Third The MD5 Compression Function A 0 B 0 C 0 D 0 ⊞ K 1 W 1 ⊞ ⊞ f 1 s 1 ≪ ⊞ ⊞ K i ⊞ W i ⊞ f i s i ≪ ⊞ Feed Forward Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 13/ 46

HF MD5/SHA1 History History First Second Third The MD5 Compression Function (cont.) ◮ Each round, a different message word is used, a different round constant is used, and a different function and rotations: 0 ≤ t ≤ 15: f t ( X , Y , Z ) = XY ∨ ( ¬ X ) Z g ( t ) = t 16 ≤ t ≤ 31: f t ( X , Y , Z ) = XY ∨ ( ¬ Z ) X g ( t ) = (5 · t + 1) mod 16 32 ≤ t ≤ 47: f t ( X , Y , Z ) = X ⊕ Y ⊕ Z g ( t ) = (3 · t ) mod 16 48 ≤ t ≤ 63: f t ( X , Y , Z ) = Y ⊕ ( X ∨ ¬ Z ) g ( t ) = (7 · t ) mod 16 The set of constants K i is based on sin: K i = ⌊| sin( i + 1) | · 2 32 ⌋ Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 14/ 46

HF MD5/SHA1 History History First Second Third The MD5 Compression Function (cont.) The rotation constants ( s i ) are Rotation Constants 7 12 17 22 7 12 17 22 7 12 17 22 7 12 17 22 5 9 14 20 5 9 14 20 5 9 14 20 5 9 14 20 4 11 16 23 4 11 16 23 4 11 16 23 4 11 16 23 6 10 15 21 6 10 15 21 6 10 15 21 6 10 15 21 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 15/ 46

HF MD5/SHA1 History History First Second Third The Shortcomings of the MD/SHA Family ◮ First of all, these hash functions are Merkle-Damg˚ ard ones, susceptible all the attacks on such hash functions. Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 16/ 46